Probably the most expensive post-weekend-hackathon "git push" ever
But what will "Chinese hackers" do with 4.5 million patient records?
The Heartbleed flaw is responsible for the high-impact US hospital hacking attack disclosed this week, an unnamed investigator told Bloomberg. As many as 4.5 million patient records have been exposed in an attack against Community Health Systems, a US hospital group that manages more than 200 hospitals. China-based attackers …
"But if they are Chinese, aren't they govnmt sponsored and out for warcrap and other dregs of civilization?"
Would you say that if they were American, or British, or even Russian? People are people, and I have heard that free enterprise is now flourishing in China. Along with its universal concomitant, crime. (The difference between a successful business and a criminal organization is purely a matter of degree - how willing those involved are to risk a prison sentence).
"One of the largest healthcare providers in the US claims Chinese hackers ran riot through its systems between April and June this year" reports El Reg
So yes, it's possible they were compromised before Heartbleed was announced and without a full security audit, didn't notice the "attack" in progress even if they patched up ASAP.
A person "involved in the investigation who wasn’t authorised to comment publicly" blamed the Heartbleed OpenSSL bug...
"This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation"
So, you define someone who blabs about an ongoing investigation, even though they are banned from commenting, as 'trusted'? It's a strange world that some people live in.
I would suggest sacking the entire team doing the investigation as at least one of them cannot be trusted, and therefore none of them can be trusted.
At what point do we stop blaming a bug which PATCHES HAVE BEEN RELEASED FOR and start blaming the idiotic network admins who fail to apply said patches?
The title of this story should be: "Dereliction of duty by Network Admins implicated in US hospital megahack"
They said the attacks occurred between April and June. The patches were released on April 7. I'll grant them 3 days to do emergency testing and patch their systems (which is way too much). That leaves approximately 80 days of time in which these attacks should have been stopped cold.
Sure, but note the breach point: a Juniper firewall. A quick search shows Juniper was not done updating their Heartbleed vulnerability advisories until April 30th. The patch advisory updates ran until May 6th. That falls right in the middle of the attack window. Without knowing the exact model, one can't say when the vulnerability was disclosed and when the patch was available.
Not saying this is the case, but poor Heartbleed seems to be supporting a really heavy load on its shoulders. Data breach? Heartbleed. Security fuckup? Heartbleed. etc etc etc...
Maybe we should have a HB every month so that no f***wit that should be sacked on sight ever loses his job again.
Not that it happens a lot mind you, since "the system" seems to be tolerant towards negligent dimwits. Maybe because negligent dimwits are running "the system", go figure...
The trouble with Heartbleed is that they may have gotten the usernames and passwords pretty damn quick and once they have access it relies on the system admin to make sure that everyone that uses that system changes their password so that no access can be made to the system if it had been attacked.
Any Sys Admin worth their salt would have taken the stance as soon as the news broke that their system may have been attacked. Those that didn't should not have had jobs. Saying that they waited for notification is a pretty poor excuse. They should have checked themselves or proactively had it checked and had it patched.
This vulnerability showed no evidence of ever having been used; all the cases where it has been used were after the patch was available and after the news broke.
I think you are very right: the 'system' is very tolerant towards negligent dimwits.
It seems though that quite possibly there are other forms of hacking taking place and rather than admit that their system was hacked through other forms of negligence or lack of security companies are falling back on the
"Let's blame heartbleed"
rather than be honest. I suspect that in some of the cases that crawl out of the woodwork that Heartbleed is the fall guy rather than admit that other methods were used that may leave the company out in the line of fire for a lawsuit.
This outfit must be working the PR guys overtime. I just love how they do this crap and get away with it.
- "an unnamed investigator"
- A person "involved in the investigation who wasn’t authorised to comment publicly" blamed the Heartbleed OpenSSL bug
- "This confirmation of the initial attack vector was obtained from a trusted and anonymous source"
Anytime I want to know something I always go to an unnamed investigator who wasn’t authorised to comment publicly but learned this from a trusted and anonymous source.